Applications Manager and Tomcat vulnerabilities CVE-2025-31650 and CVE-2025-31651
Article ID: 411413

Products

CA Automic Applications Manager (AM)

Issue/Introduction

The security team has flagged Tomcat for vulnerabilities CVE-2025-31650 and CVE-2025-31651. Are Applications Manager and its Tomcat affected by these vulnerabilities?

Environment

Applications Manager 9.4 and above

Resolution

For Applications Manager 9.4 - 9.4.4 HF2:

Upgrade to Tomcat version 10.1.40 or higher. If needed, refer to Upgrading or updating Tomcat.


For Applications Manager 9.5 - 9.5.3:

Upgrade to Tomcat version 10.1.40 or higher, or to Tomcat version 11.0.6 or higher (NOTE - Tomcat 11 REQUIRES Java 17 or OpenJDK 17). If needed, refer to Upgrading or updating Tomcat.


For Applications Manager 9.6:

Applications Manager includes an integrated web server based on Tomcat. However, this is not the full Tomcat application: Applications Manager only uses a number of Tomcat libraries provided by the Spring framework.

With this usage, the integrated web server is not vulnerable to CVE-2025-31650 and CVE-2025-31651. Any Tomcat library in the $AW_HOME directory or a sub-directory that is flagged by your scanning tool will therefore need to be whitelisted.
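A shell check, added here as an example and not part of this article or the product, that lists Tomcat jars under $AW_HOME and reports whether each is at or above the fixed versions named above (10.1.40 for the 10.1 line, 11.0.6 for the 11.0 line). It assumes unzip is installed and that the jar carries org/apache/catalina/util/ServerInfo.properties; the default path /opt/automic/am is a constructed placeholder used only when AW_HOME is unset.

```shell
#!/bin/sh
# Added example, not from the KB article: find Tomcat jars under $AW_HOME
# and compare the version they report against the article's fixed versions.

# Returns 0 when dotted numeric version "$1" is >= "$2" (missing components
# count as 0, so 10.1.40 and 10.1.40.0 compare equal). Only numeric
# components are handled; milestone tags such as "-M1" are not.
version_ge() {
    set -- "$1." "$2."              # trailing dot terminates the last component
    while [ -n "$1" ] || [ -n "$2" ]; do
        x=${1%%.*}; y=${2%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        set -- "${1#*.}" "${2#*.}"  # drop the component just compared
    done
    return 0
}

# Echoes fixed / needs-upgrade for the Tomcat lines the article names,
# and unknown for any other line (the article does not cover them).
tomcat_status() {
    case "$1" in
        10.1.*) version_ge "$1" 10.1.40 && echo fixed || echo needs-upgrade ;;
        11.0.*) version_ge "$1" 11.0.6  && echo fixed || echo needs-upgrade ;;
        *)      echo unknown ;;
    esac
}

# Walk $AW_HOME for Tomcat jars and read server.number from the jar's
# ServerInfo.properties (assumed present, as in tomcat-embed-core/catalina).
scan_aw_home() {
    find "${AW_HOME:-/opt/automic/am}" \( -name '*tomcat*.jar' -o -name catalina.jar \) 2>/dev/null |
    while read -r jar; do
        v=$(unzip -p "$jar" org/apache/catalina/util/ServerInfo.properties 2>/dev/null |
            sed -n 's/^server\.number=//p')
        [ -n "$v" ] && printf '%s\t%s\t%s\n' "$(tomcat_status "$v")" "$v" "$jar"
    done
}

# Only scan when AW_HOME is actually set in the environment.
[ -n "${AW_HOME:-}" ] && scan_aw_home
```

Lines reported as needs-upgrade point at jars below the fixed version; lines reported as fixed are candidates for the whitelisting the article describes when a scanner still flags them.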